We have researched a topic that should be of great concern to anyone whose family or loved ones have or may soon have a medical implant. In addition, this research reveals that malware and even virus infections are common in medical devices that are computer controlled (hint: the list of those that don't have chips is much shorter).
Our commentary on this subject will not be technical except to note that this subject is more complex than might appear at first read. After the reader has perused our thoughts, we encourage further review of the quoted articles penned by real experts.
Medical devices in the US are subject to FDA licensing and as such are approved by a process that includes measuring their functionality and efficacy. During the long and very expensive testing and approval process, software typically undergoes multiple modifications as the hard and the soft components are adjusted. When the device is found to be performing well, and blessed by the FDA, it is ready for market. At that point it is usually good business to at least pause software development so the device can be deployed. Therefore, for a time the software is in a static state while threats from the surrounding world roll onward.
All efforts heretofore have been focused on device efficacy, but with the rise of device inter-connectivity (isn't wireless great?) the issue of security has been shoved into an unwelcome spotlight. Software security concerns represent a very significant challenge in devices designed to regulate or supplant human organic function.
Our staff futurists predict: 1) more congressional hearings, 2) more hastily penned FDA regulations, 3) increasing production cost and time to bring devices to market, 4) more massive legal complications for manufacturers and massive litigation opportunities for attorneys, and 5) a truly Gordian security knot that no one will be able to unravel within the next decade even if they were to begin today. This issue is not new, but its implications are accelerating faster than solutions. Despite having the most remarkably effective devices in mankind's history, we will see the development of an increasing legal morass that will stunt development and deployment, and in the end will cost many lives that would have otherwise been saved by these inventions.
Question for readers: where are most electronic medical device components manufactured?
While there are hundreds of confirmed reports of conventional computer viruses infecting medical devices in radiology, cardiac catheterization labs, sleep labs, and other clinical departments, there are no known case reports of malevolent interference that specifically target medical device function. A growing list of confirmed cybersecurity vulnerabilities in medical devices poses challenging risks to patients whose privacy or disease management depends on the proper functioning of devices.
An example of one of the enforcement reports (from November 2010) is for a PC Unit for use with infusion and monitoring systems. The reason for the recall provided in the report is: "Under certain wireless network conditions a communication error can occur, which freezes the PC Unit screen, which may result in a delay of therapy. A delay of therapy may result in serious injury and/or death". An example of a software-related enforcement report corresponds to an ultrasound system. The reason for the recall is listed as: "The product has a software problem in which previous patient measurement data gets associated with another patient’s image". (ibid)